Preservation copies downloads in AtoM 2.7


cassi...@gmail.com

Apr 8, 2023, 5:46:03 PM
to AtoM Users
Hi everyone!

I would like to know why version 2.7 allowed users to directly download files from Archivematica Storage. My concern is whether this new feature could become a security vulnerability for the storage service.
Besides, in the "preservation copies" area, is it just the original file's object and the AIP that can be downloaded? Is there no way to download the "preservation copy" through AtoM's interface, or is it just a default configuration that disables the "preservation copy" download?

Thank you for your time.
Best regards,

Dan Gillean

Apr 11, 2023, 9:03:27 AM
to ica-ato...@googlegroups.com
Hi there, 

Some clarifications on this new feature: 
  • This feature is only available to authenticated users
  • It requires configuration to work - it will not be a surprise default out of the box for those who use both Archivematica and AtoM. You first need to enable a plugin, then enter a number of credentials, and then restart some services - so it won't happen by accident. 
  • Users do not get access to Archivematica in general. When the functionality is configured and enabled, clicking a download link will open a new blank tab. This tab will stay open and blank while the download of the requested file is completed by the browser - however, it does not allow users to get to Archivematica in any way. 
You can read more about this in the following documentation sections: 
For those who also use Archivematica, this is intended for a number of possible uses. For example: 
  • For administrators, it's just a time saver - you don't need to copy the AIP UUID, open Archivematica, navigate to the Storage Service, search, and then download the AIP - you can instead click a button in AtoM and get the package directly. 
  • Because the related Groups security configuration file can be edited by a system administrator, this can also be used by institutions who wish to allow a subset of researchers access to preservation copies. This can be particularly useful in cases where AtoM is not able to generate access derivatives or that require additional tools to view properly, such as CAD files. An administrator could create a custom user group, add it to the permissions, and then on request create a user account in that group to give someone the ability to download copies of the related AIPs. One could possibly even then configure Nginx to restrict this by IP, so the functionality is only supported in a reading room, for example. 
The feature was sponsored by an institution that had a specific use case in mind, but we have tried to generalize the functionality to make it both optional and (hopefully) broadly useful if enabled. If you are concerned about the potential impacts of the feature, simply do not enable it - you can ensure it won't work by navigating to Admin > Plugins, and making sure that the arStorageServicePlugin is disabled. 

You can also control what digital object metadata is shown to public users via the Visible elements module. While the download links (if configured) should by default only be available to authenticated users, you can also control the display of all other DO metadata elements. If desired, you can hide all Preservation metadata fields from public users this way - simply uncheck all relevant boxes: 

[Screenshot: visible-elements-DO.png]

(Note: I noticed in finding this Visible Elements link that the docs have not yet been updated to reflect the options shown in the screenshot above. I've filed a documentation issue ticket for this, so we can address this soon)

Let me know if you have further questions! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him


--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/d2c43b5c-bcd1-45fc-80b5-5cf30892a36dn%40googlegroups.com.

Cássio Pires

Apr 12, 2023, 8:01:41 AM
to ica-ato...@googlegroups.com
Thank you for the explanation, Dan. Actually, we also do have a specific use case in mind, and security is our main concern. We will run more tests with this new feature. No further questions at this point.

Cheers,



--
Cássio de Oliveira Pires.